How secret SARS unit spied on South Africans: report

A “covert unit” within the South African Revenue Service used a surveillance software suite known as FinFisher to spy on the computer activities of its targets, Carte Blanche reported on 22 February 2015.

FinFisher can collect screenshots, logs of keystrokes, audio from Skype calls, passwords, and other data according to reports by Citizen Lab, and WikiLeaks.

News of Sars’ use of spyware comes after the Sunday Times reported towards the end of 2014 that a secret unit inside South Africa’s tax agency called the National Research Group (NRG) became a law unto itself.

Members of this group reportedly worked to infiltrate the ANC, looked into non-tax related matters such as taxi violence, and were used to fight the business battles of friends and relatives of senior Sars officials.

NRG was also allegedly ordered to follow top Sars officials like Leonard Radebe, Nandi Madiba, and Mandisa Mokoena to find information on them and destroy their careers.

FinFisher in South Africa

The fact that FinFisher spyware was being used in South Africa was first alluded to in April 2013 when Citizen Lab released a report saying that command and control (C&C) servers for the software were detected on Telkom’s network.

Citizen Lab’s report made headlines around the world because it revealed that one version of FinFisher’s spyware programs masqueraded as Mozilla Firefox.

While FinFisher didn’t infect Firefox, it impersonated it to fool Windows and anti-virus programs into believing it was legitimate software.

Mozilla slapped the company behind FinFisher with a cease-and-desist, demanding that it stop using Mozilla’s trademarks and branding.

FinFisher on the Telkom network

When Telkom was asked about the IP addresses where Citizen Lab found the FinFisher C&C servers in South Africa, it said the addresses were part of the dynamic pool allocated to ADSL users.

Then, in September 2014, WikiLeaks released new documents asserting that the South African government spent over €2 million on FinFisher between 2009 and 2012.

Sars was asked to confirm that its recently exposed covert unit had procured FinFisher, and whether the figures released by WikiLeaks were accurate.

A spokesperson for the tax agency said Sars was not prepared to comment on media speculation.

“We have internal processes underway as regards the allegations of rogue behaviour by a small group of Sars staff, and will not jeopardise those processes by responding to each and every allegation as it is made to the media.”